[EXO][NEWS/PSA]HTC Exodus 1 - S-ON | Unlock/Relocked | MODIFIED status breaks Zion OS - HTC U12+ Guides, News, & Discussion

[EXO|PSA] S-ON | Unlock/Relocked | MODIFIED status breaks Zion OS
Hello everybody,
here, in a nutshell, are some points which have to be considered when unlocking the bootloader on an HTC Exodus 1. Apparently HTC has installed various additional security measures to make the "semi-cold" wallet, called Zion OS, more secure.
Thus it detects the UNLOCK/RELOCKED, or to be more precise the tampered flag, stating that your software has once been MODIFIED. You will find the said integer when booted into the bootloader, where it says
Code:
Software Status: Modified,
on S-ON devices whose bootloader has been unlocked or relocked.
On the official HTC Exodus Telegram group it has meanwhile been stated that it may be possible to access Zion again after a relock of the bootloader; however, HTC wants to make sure that this doesn't compromise security in any way. That being said, they added that they first have to evaluate different attack scenarios and the influence and outcome of this change. This will take a while, and maybe they'll even decide that security will stay that way.
This prevents the usage of Zion OS. After unlocking and relocking the bootloader, Zion OS will state
Code:
Your phone has been rooted.
Your wallet's perched because your phone's been rooted.
This is a safety precaution. Please contact customer service
to find out what you can do next.
So be aware of this in any case BEFORE a bootloader unlock!
Greetings
5m4r7ph0n36uru

HTC Exodus Support
HTC Exodus support contact
Ok, so you can send an e-mail to [email protected] with the subject
Access to Zion - Rebooted phone / unlocked bootloader.
Please provide HTC Exodus support with the information of your residency. They will forward your e-mail to a service center near you, which can do a factory reset of the phone. Once this is done you have full access to all functions of the phone again.

Related

Possible to re-lock the bootloader on a custom ROM?

I'm curious if anyone has been able to re-lock their bootloader, or if there is a way to do so, once a custom ROM has been loaded onto the Nexus 5X. I know that locking the bootloader on this phone once the system partition has been altered can brick the phone, as the locking implementation of the bootloader is more secure than on older phones: the option inside the ROM to unlock the bootloader must be enabled in developer options in order to use the fastboot command to unlock the bootloader.
I'm interested in this as having an unlocked bootloader leaves the system partition exposed for people to bypass Android's implementation of disk encryption.
With the bootloader unlocked the system partition can be modified, which leaves a door open for someone to use an exploit on the system partition to steal the encryption key for the data partition and thus unlock the Android phone and bypass the encryption feature.
In order to secure the encryption feature the bootloader needs to be locked, so the system partition cannot be modified to allow an attacker to utilize an exploit and steal the encryption key for the data partition; however, with the implementation of the newer bootloader this isn't possible on a custom ROM and can result in a brick if the bootloader is re-locked.
Just curious if there is a way to accomplish this without bricking the phone, so I would be able to run, say, CyanogenMod on a rooted phone with a custom recovery and lock the bootloader to ensure the security of the encryption that is used on the data partition. Additionally, getting the bootloader to verify the validity of the system partition could be beneficial from a security perspective as well, so it can be ensured that it hasn't been modified.
Is this possible with a custom ROM?
Beakfire said:
I'm curious if anyone has been able to re-lock their bootloader, or if there is a way to do so, once a custom ROM has been loaded onto the Nexus 5X. I know that locking the bootloader on this phone once the system partition has been altered can brick the phone, as the locking implementation of the bootloader is more secure than on older phones: the option inside the ROM to unlock the bootloader must be enabled in developer options in order to use the fastboot command to unlock the bootloader.
I'm interested in this as having an unlocked bootloader leaves the system partition exposed for people to bypass Android's implementation of disk encryption.
With the bootloader unlocked the system partition can be modified, which leaves a door open for someone to use an exploit on the system partition to steal the encryption key for the data partition and thus unlock the Android phone and bypass the encryption feature.
In order to secure the encryption feature the bootloader needs to be locked, so the system partition cannot be modified to allow an attacker to utilize an exploit and steal the encryption key for the data partition; however, with the implementation of the newer bootloader this isn't possible on a custom ROM and can result in a brick if the bootloader is re-locked.
Just curious if there is a way to accomplish this without bricking the phone, so I would be able to run, say, CyanogenMod on a rooted phone with a custom recovery and lock the bootloader to ensure the security of the encryption that is used on the data partition. Additionally, getting the bootloader to verify the validity of the system partition could be beneficial from a security perspective as well, so it can be ensured that it hasn't been modified.
Is this possible with a custom ROM?
No. Unless you want a paperweight
Sent from my Nexus 5X using Tapatalk 2
In short, doing so could brick your device and leave you without any method of recovery. You need to be stock to re-lock the bootloader. There are several threads about how to accomplish this (I would recommend Heisenberg's guide here under section 10: http://forum.xda-developers.com/nexus-5x/general/guides-how-to-guides-beginners-t3206930).
If this seems too daunting, you could also use the nexus toolkit, you can find info about that here: http://forum.xda-developers.com/nexus-5x/development/toolkit-wugs-nexus-root-toolkit-v2-1-0-t3258492.
I get it, reverting to stock isn't a problem for me I can do everything from fastboot without the toolkits.
I'd just like to be able to use the security features of the locked bootloader and the phone's encryption on a custom ROM, which at this point doesn't seem possible and wanted to see if anyone had been able to accomplish this somehow or if there were any progress in that direction.
On another note along these lines, can the phone be de-googled (removal of GAPPS, Google framework, etc., e.g. modify the system partition, root, etc.) and then re-locked? Or will the bootloader see that the system partition has been altered from the factory condition and error out? I could try, but I'm hesitant to, as I don't want to brick it, which is why I wanted to see if anyone had done something like this before.
Beakfire said:
I get it, reverting to stock isn't a problem for me I can do everything from fastboot without the toolkits.
I'd just like to be able to use the security features of the locked bootloader and the phone's encryption on a custom ROM, which at this point doesn't seem possible and wanted to see if anyone had been able to accomplish this somehow or if there were any progress in that direction.
On another note along these lines, can the phone be de-googled (removal of GAPPS, Google framework, etc., e.g. modify the system partition, root, etc.) and then re-locked? Or will the bootloader see that the system partition has been altered from the factory condition and error out? I could try, but I'm hesitant to, as I don't want to brick it, which is why I wanted to see if anyone had done something like this before.
This has never been possible since the origin of android. I wouldn't hold your breath
Sent from my Nexus 5X using Tapatalk 2
hopesrequiem said:
This has never been possible since the origin of android. I wouldn't hold your breath
Sent from my Nexus 5X using Tapatalk 2
Actually it is.
I have a 1st generation nexus 7 that I use in an in-car install that is running TWRP recovery, a kernel from SGT Meow that supports OTG host-mode charging and CM13 that I locked the bootloader on after I was done installing everything. It also has the data partition encrypted on it and everything on it works perfectly fine.
Beakfire said:
Actually it is.
I have a 1st generation nexus 7 that I use in an in-car install that is running TWRP recovery, a kernel from SGT Meow that supports OTG host-mode charging and CM13 that I locked the bootloader on after I was done installing everything. It also has the data partition encrypted on it and everything on it works perfectly fine.
I stand corrected I guess. That makes no sense to do in my opinion. The whole reason to unlock it initially is to be free to modify it. You modify it and give back that power? Makes no sense
Sent from my Nexus 5X using Tapatalk 2
Just curious, why does the OP think the encryption key could be stolen using the system partition?
Beakfire said:
Actually it is.
I have a 1st generation nexus 7 that I use in an in-car install that is running TWRP recovery, a kernel from SGT Meow that supports OTG host-mode charging and CM13 that I locked the bootloader on after I was done installing everything. It also has the data partition encrypted on it and everything on it works perfectly fine.
I also had nexus 4 and 5 running cyanogenmod or omnirom with a custom kernel and locked bootloader.
Of course, they did not have the idiotic 'allow oem unlocking' so there was no danger (and there was the bootunlocker app anyway).
Then again, if you use full disk encryption I'm not sure if there is a benefit to a locked bootloader from the encryption key perspective as that's in the ram memory, not on the system partition. Cold boot attack? Yes, probably, but the ordinary thief won't be able to spell cold.
My 5x is unlocked and at each reboot the bootloader says my device is corrupted, scary initially but I don't want the gapps cancer on my phone.
jisoo said:
Just curious, why does the OP think the encryption key could be stolen using the system partition?
I read a few papers on the weak points to android's encryption scheme.
The classic evil maid attack works against android using something called EvilDroid and there is also a forensic tool out there called FROST that can also accomplish the task of bypassing android's encryption.
Frost would be easier to use, since it only needs to be flashed to the recovery partition of an unlocked device. I was just reading up on it some, if someone could find the FROST image it would actually be very easy for someone with very little skill to implement a cold boot attack against an android device and gain access to the data on the encrypted partition of the phone.
The evil droid attack would be more difficult and someone would have to specifically target your phone. FROST could be used on any unlocked phone with an encrypted data partition and unlocked bootloader.
Here's a few links to the articles I was reading on the exploits:
http://isyou.info/jowua/papers/jowua-v5n1-4.pdf
https://www1.cs.fau.de/filepool/projects/frost/frost.pdf
There's also a kernel patch out there called ARMORED that is essentially TRESOR (TRESOR runs encryption securely outside RAM) for android driven ARM devices that would prevent FROST from working on a device with an unlocked bootloader. The evilmaid attack would still work though, but is really impractical for the average person to use such an attack on a smartphone.
ARMORED patch is available here:
https://www1.cs.fau.de/tresor/
I was reading on the android boot process here:
https://source.android.com/security/verifiedboot/verified-boot.html
The Nexus 5X supports the unlocked state, so it must be a Class B implementation based on that read, which means that if a signed key is added to a ROM that is flashed, it should boot with the yellow boot prompt, indicating that the system was verified against an embedded certificate and not the OEM key.
The bootloader checks the /boot and /recovery partitions during the verification process from that article.
Currently mine boots with an orange screen, since it's unlocked.
I know most people aren't concerned with it, but with a modded device, if I were to want to use the encryption feature and that FROST app were easily found on the web (I don't know if it is available somewhere), anyone that knows how to stick a phone in a freezer and use a single fastboot command would be able to decrypt the encrypted data partition on an unlocked phone.
haha and here's actually the attack with all the tools to use it available here:
https://www1.cs.fau.de/frost
It's obviously an older implementation of frost from 2012/2013 for the Galaxy Nexus that is up on that site though.
Beakfire said:
I read a few papers on the weak points to android's encryption scheme.
Honestly just steal the finger together with the phone instead of freezing stuff and messing around.
It is quickly done, and 95% of people will have the fingerprint sensor configured to bypass the lockscreen.
Beakfire said:
I read a few papers on the weak points to android's encryption scheme.
The classic evil maid attack works against android using something called EvilDroid and there is also a forensic tool out there called FROST that can also accomplish the task of bypassing android's encryption.
Look, I'm no expert in this, but I fail to see (even after reading on the FROST attack) how this attack would work.
The encryption key is itself encrypted by your password. If you use a strong enough password, this can't be bruteforced. It doesn't matter that someone retrieves the encryption key if they can't read it.
The FROST attack seems to be a method to retrieve the encryption key from a bootloader locked device (but you'd still need to bruteforce the password). So it's actually an attack which demonstrates how little unlocking the bootloader impacts encryption security in this case.
What's more, Nexus 5x uses HW storage for the encryption key, which makes it practically impossible to retrieve the key, locked or unlocked bootloader doesn't matter.
So apart from an evil maid attack (where someone changes your system so that it will record and transmit your password), I don't see how an unlocked bootloader would compromise the encryption itself.
---------- Post added at 01:26 PM ---------- Previous post was at 01:25 PM ----------
user822 said:
Honestly just steal the finger together with the phone instead of freezing stuff and messing around.
It is quickly done, and 95% of people will have the fingerprint sensor configured to bypass the lockscreen.
Fingerprint won't provide the password needed for decryption, so it only works if the device is already fully booted and partitions mounted.
jisoo said:
Fingerprint won't provide the password needed for decryption, so it only works if the device is already fully booted and partitions mounted.
That is absolutely true, but normally you steal phones that are switched on
And the "freezer" attack also needs a phone that was turned on before it seems
jisoo said:
Look, I'm no expert in this, but I fail to see (even after reading on the FROST attack) how this attack would work.
The encryption key is itself encrypted by your password. If you use a strong enough password, this can't be bruteforced. It doesn't matter that someone retrieves the encryption key if they can't read it.
The FROST attack seems to be a method to retrieve the encryption key from a bootloader locked device (but you'd still need to bruteforce the password). So it's actually an attack which demonstrates how little unlocking the bootloader impacts encryption security in this case.
What's more, Nexus 5x uses HW storage for the encryption key, which makes it practically impossible to retrieve the key, locked or unlocked bootloader doesn't matter.
So apart from an evil maid attack (where someone changes your system so that it will record and transmit your password), I don't see how an unlocked bootloader would compromise the encryption itself.
The critical paragraph from the article describes the vulnerability in dm-crypt, which is the encryption subsystem Android uses. Once it's booted and decrypted, traces are left in RAM that expose the key and are not removed until power is cut. The unlocked bootloader simply allows the FROST application to be installed without wiping the data partition. It can still be used to expose the key on a phone with a locked bootloader; however, it's pointless, as installation of FROST requires the data partition to be wiped as a result of unlocking the bootloader during the process. Below is the paragraph about the dm-crypt vulnerability from the article by the people that used FROST to do a cold boot attack on an Android phone.
However, it has not been reported yet if cold boot attacks are applicable against ARM-based devices such as smartphones and tablets, or against Android devices in particular. We conjecture such devices are vulnerable, because Android's underlying encryption solution dm-crypt is already known to be vulnerable. Technically, it makes no difference if dm-crypt is running on ARM or an x86 architecture, because the vulnerability lies in the AES key schedule that is stored inside RAM. AES key schedules can be identified by recovery tools like aeskeyfind that search for suspicious patterns of a schedule in RAM. Dm-crypt is vulnerable to such tools, because it creates the AES key schedule initially inside RAM during boot and it gets lost only if power is cut.
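The quoted paragraph rests on one property of AES: the 176-byte round-key schedule that dm-crypt keeps in RAM is a deterministic expansion of the 16-byte key, and the key is literally its first 16 bytes. The Go program below is an added example, not code from this thread, the FROST paper, or the TRESOR/ARMORED patch mentioned earlier. It reimplements the FIPS-197 key expansion from scratch (S-box included), shows that a schedule is self-consistent, and then does the defender's check: after the key is supposed to be gone, confirm that the schedule of a key you already hold no longer appears in a memory image. The 4 KiB "memory" and the planted offset are constructed; the function names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
)

// gfMul multiplies two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var r byte
	for b != 0 {
		if b&1 != 0 {
			r ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1B
		}
		b >>= 1
	}
	return r
}

// buildSBox derives the AES S-box from scratch: multiplicative inverse, then the affine map.
func buildSBox() [256]byte {
	var inv, sbox [256]byte
	for x := 1; x < 256; x++ {
		for y := 1; y < 256; y++ {
			if gfMul(byte(x), byte(y)) == 1 {
				inv[x] = byte(y)
				break
			}
		}
	}
	for x := 0; x < 256; x++ {
		b := inv[x]
		s := b
		for i := 0; i < 4; i++ {
			b = b<<1 | b>>7 // rotate left by one bit
			s ^= b
		}
		sbox[x] = s ^ 0x63
	}
	return sbox
}

var sbox = buildSBox()
var rcon = [10]byte{0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36}

// ExpandKey128 is the FIPS-197 key expansion: a 16-byte key becomes the
// 176-byte round-key schedule that dm-crypt keeps in RAM while the volume is open.
func ExpandKey128(key []byte) []byte {
	if len(key) != 16 {
		panic("AES-128 key must be 16 bytes")
	}
	w := make([]byte, 176)
	copy(w, key) // the schedule starts with the key itself
	for i := 4; i < 44; i++ {
		var t [4]byte
		copy(t[:], w[(i-1)*4:i*4])
		if i%4 == 0 {
			t = [4]byte{sbox[t[1]], sbox[t[2]], sbox[t[3]], sbox[t[0]]} // RotWord, then SubWord
			t[0] ^= rcon[i/4-1]
		}
		for j := 0; j < 4; j++ {
			w[i*4+j] = w[(i-4)*4+j] ^ t[j]
		}
	}
	return w
}

// IsConsistentSchedule reports whether a 176-byte blob is exactly the expansion
// of its own first 16 bytes: the property that makes schedule residue equivalent to the key.
func IsConsistentSchedule(blob []byte) bool {
	return len(blob) == 176 && bytes.Equal(ExpandKey128(blob[:16]), blob)
}

// ResidueOffsets lists every offset in mem where the schedule of a key you
// already hold still sits; the check a defender runs after the key should be gone.
func ResidueOffsets(mem, key []byte) []int {
	sched := ExpandKey128(key)
	var hits []int
	for i := 0; i+len(sched) <= len(mem); i++ {
		if bytes.Equal(mem[i:i+len(sched)], sched) {
			hits = append(hits, i)
		}
	}
	return hits
}

// Scrub zeroes a region of mem. Per the FROST paper dm-crypt never does this for
// its schedule until power is cut; TRESOR/ARMORED avoid keeping it in RAM at all.
func Scrub(mem []byte, off, n int) {
	for i := off; i < off+n && i < len(mem); i++ {
		mem[i] = 0
	}
}

// Demo plants one schedule in a constructed 4 KiB memory image and reports
// residue offsets before and after scrubbing: ([1000], []).
func Demo() (before, after []int) {
	key := []byte{0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
		0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c} // FIPS-197 Appendix A test key
	mem := make([]byte, 4096)
	for i := range mem {
		mem[i] = byte(i * 37) // constructed filler, not real device memory
	}
	copy(mem[1000:], ExpandKey128(key))
	before = ResidueOffsets(mem, key)
	Scrub(mem, 1000, 176)
	after = ResidueOffsets(mem, key)
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Printf("schedule residue at %v before scrub, %v after\n", before, after)
}
```

The residue check deliberately takes a known key: it is the test you run against your own memory dump to confirm a wipe worked, not a search for unknown keys. Zeroing is also the weak form of the mitigation; the ARMORED/TRESOR approach linked above removes the schedule from RAM entirely, which is what defeats the attack on a device whose bootloader cannot stop FROST from being booted.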
Beakfire said:
The unlocked bootloader simply allows the FROST application to be installed without wiping the data partition. It can still be used to expose the key on a phone with a locked bootloader, however it's pointless as installation of FROST requires the data partition to be wiped as a result of unlocking the bootloader during the process.
Many devices allow you to boot an external image even with the bootloader locked, using the "fastboot boot" command. This means you can boot FROST on a device with a locked bootloader, which makes things even worse.
Beakfire said:
Actually it is.
I have a 1st generation nexus 7 that I use in an in-car install that is running TWRP recovery, a kernel from SGT Meow that supports OTG host-mode charging and CM13 that I locked the bootloader on after I was done installing everything. It also has the data partition encrypted on it and everything on it works perfectly fine.
The reason you can lock your bootloader on a custom kernel is that LG's signing certificate had been leaked (available on XDA too) and it is therefore possible to sign a custom boot image (and recovery) with it. Those will pass bootloader signature check on boot. However, this is an anomaly; it was a scandal and LG has already "fixed" the situation. However, older devices (quite a few of them) can enjoy custom roms on locked bootloaders and they don't even have to unlock...
The other poster was right: it is impossible to boot a kernel that is not signed by OEM on a locked bootloader. Also, you won't hard brick your device, even if you install custom kernel on it: all you need to do is to reflash (not in fastboot) stock kernel and rom...
As far as forensics: if your data is encrypted; you have a long boot password that is not included into "word dictionary" used by brute-forcing apps; and your device is off, I wish a very good luck to even sophisticated crackers. They won't be able to brute-force you. However, your adversaries will use a "Moroccan Police" method: they'll beat you on the head until you give them the password. Never fails...
optimumpro said:
The reason you can lock your bootloader on a custom kernel is that LG's signing certificate had been leaked (available on XDA too) and it is therefore possible to sign a custom boot image (and recovery) with it. Those will pass bootloader signature check on boot. However, this is an anomaly; it was a scandal and LG has already "fixed" the situation. However, older devices (quite a few of them) can enjoy custom roms on locked bootloaders and they don't even have to unlock...
The other poster was right: it is impossible to boot a kernel that is not signed by OEM on a locked bootloader. Also, you won't hard brick your device, even if you install custom kernel on it: all you need to do is to reflash (not in fastboot) stock kernel and rom...
As far as forensics: if your data is encrypted; you have a long boot password that is not included into "word dictionary" used by brute-forcing apps; and your device is off, I wish a very good luck to even sophisticated crackers. They won't be able to brute-force you. However, your adversaries will use a "Moroccan Police" method: they'll beat you on the head until you give them the password. Never fails...
My nexus 7 is an Asus device, not LG.
I think most people missed the bus on this one, the idea is to have an alternate signing certificate that matches up with the custom ROM's software so that way you can use the bootloader locking feature with a non-OEM certificate that will be used instead of the OEM certificate to verify the boot and recovery partitions.
Per the read on the way the bootloader verification procedures work this should be possible, but I'm unaware of anyone doing it or that has made it possible yet.
On my Nexus 7 it's running Lollipop, so that may be part of it as well, I'm not sure if the boot verification parts came into play in android until Marshmallow and now it's becoming more strict with Nougat.
We should, however, be able to get to a yellow boot prompt during the verification procedure that verifies a modified boot, recovery and now system partition (with nougat) based off a non-OEM signing certificate that would have to be added to the boot image to verify those partitions during the boot process.
I just don't think anyone has bothered with it, as most people consider their devices insecure once physical security is lost on them or just don't care. However the point of this was to defeat the ability of an attacker to bypass the android encryption features on a device running a custom ROM and provide the added security of a locked bootloader on a modified device.
A locked bootloader is absolutely necessary to maintain the integrity of an android device, especially if physical control of that device is lost. I just wanted to see if anyone had managed to do so on a Nexus 5X with a custom ROM to regain the security features provided by a locked bootloader and secure android's encryption scheme.
Beakfire said:
My nexus 7 is an Asus device, not LG.
I think most people missed the bus on this one, the idea is to have an alternate signing certificate that matches up with the custom ROM's software so that way you can use the bootloader locking feature with a non-OEM certificate that will be used instead of the OEM certificate to verify the boot and recovery partitions.
Per the read on the way the bootloader verification procedures work this should be possible, but I'm unaware of anyone doing it or that has made it possible yet.
On my Nexus 7 it's running Lollipop, so that may be part of it as well, I'm not sure if the boot verification parts came into play in android until Marshmallow and now it's becoming more strict with Nougat.
We should, however, be able to get to a yellow boot prompt during the verification procedure that verifies a modified boot, recovery and now system partition (with nougat) based off a non-OEM signing certificate that would have to be added to the boot image to verify those partitions during the boot process.
I just don't think anyone has bothered with it, as most people consider their devices insecure once physical security is lost on them or just don't care. However the point of this was to defeat the ability of an attacker to bypass the android encryption features on a device running a custom ROM and provide the added security of a locked bootloader on a modified device.
A locked bootloader is absolutely necessary to maintain the integrity of an android device, especially if physical control of that device is lost. I just wanted to see if anyone had managed to do so on a Nexus 5X with a custom ROM to regain the security features provided by a locked bootloader and secure android's encryption scheme.
Unless your Asus has an open source bootloader (which very few devices do), there is no way you can boot a non stock kernel with a locked bootloader. I also think you are confusing locking bootloader with Android verity, which are 2 different things. Verity, as part of Android, kicks in after OEM bootloader verification. While you can do whatever you want with verity, you can't touch a closed source bootloader, which means you can't get to that OEM certificate. And while you can replace verity certificate with your 'alternative signing certificate', the same will have absolutely no effect on bootloader verification.
There is one other possibility which is used in several devices: you can have stock kernel working with custom roms by way of hijacking one of hardware initiation scripts and have it open a separate ramdisk that is compatible with a custom rom. That's how my old Xperia ION with unlockable bootloader can run CM roms.
In other words, there are only 3 possibilities to have custom roms work with locked bootloaders: 1. Have an OEM certificate; 2. Open source bootloader; and 3. Second ramdisk compatible with custom roms. There is no other way.
So, if none of the above three applies to your Asus, then your locking procedure has not resulted in a locked bootloader, which also happens...
Also, locked bootloader does not provide any additional security. It only cares about boot and recovery partitions and has no effect on System. So, if a thief gets your device, all he has to do is flash it in flash mode with OEM official software to wipe everything clean, even if your boot loader cannot be unlocked. If the thief is after your data (regardless of encryption), locked bootloader doesn't help in any way. If government adversaries are after you, locked bootloader is no help either: they have data acquisition software that includes most if not all OEM's certificates.
optimumpro said:
Unless your Asus has an open source bootloader (which very few devices do), there is no way you can boot a non stock kernel with a locked bootloader. I also think you are confusing locking bootloader with Android verity, which are 2 different things. Verity, as part of Android, kicks in after OEM bootloader verification. While you can do whatever you want with verity, you can't touch a closed source bootloader, which means you can't get to that OEM certificate. And while you can replace verity certificate with your 'alternative signing certificate', the same will have absolutely no effect on bootloader verification.
There is one other possibility which is used in several devices: you can have stock kernel working with custom roms by way of hijacking one of hardware initiation scripts and have it open a separate ramdisk that is compatible with a custom rom. That's how my old Xperia ION with unlockable bootloader can run CM roms.
In other words, there are only 3 possibilities to have custom roms work with locked bootloaders: 1. Have an OEM certificate; 2. Open source bootloader; and 3. Second ramdisk compatible with custom roms. There is no other way.
So, if none of the above three applies to your Asus, then your locking procedure has not resulted in a locked bootloader, which also happens...
Also, locked bootloader does not provide any additional security. It only cares about boot and recovery partitions and has no effect on System. So, if a thief gets your device, all he has to do is flash it in flash mode with OEM official software to wipe everything clean, even if your boot loader cannot be unlocked. If the thief is after your data (regardless of encryption), locked bootloader doesn't help in any way. If government adversaries are after you, locked bootloader is no help either: they have data acquisition software that includes most if not all OEM's certificates.
The Asus device is a Gen 1 Nexus 7, I don't believe the bootloader is open source as I'm always flashing the stock boot.img when I wipe and re-load it.
I am able to lock the bootloader after I'm complete with re-loading from fastboot. The locked bootloader does protect the device from some attacks where, as I mentioned on the first page of this thread, an attacker can flash a modified recovery partition to the device and use it to dump the key schedule from RAM in order to gain the key and decrypt an encrypted data partition.
You're also correct that the system partition isn't protected by the encryption which allows another exploit, as I mentioned on the first page.
In the case of a thief who is after the device, I'd agree it's of little to no use as they can simply unlock it, wipe and make it their own. However if they're also after your data they can use an exploit if the bootloader is unlocked to steal the key from RAM and decrypt your data partition. The likelihood of such an attacker is probably fairly small though.
I would seriously doubt that governments have the ability to unlock any encryption that is available. If reading the news has shown anything, the government pays out a lot of money for zero-day exploits in order to find ways to attack people's devices and take information. The more of these methods of attack that are removed from devices, the more secure the encryption that they use becomes from attackers that would exploit the same attacks that governments do. The government also raised all of those problems with Apple when there was an iPhone they could not get into, and likely some type of exploit was utilized in order to bypass security features and brute force the PIN code, which was probably too simple.
Attacking the encryption directly simply wouldn't be an option for anyone; attackers are always trying to find ways to steal the key or bypass security features and brute force simple keys to decrypt data.
A locked bootloader prevents an adversary from stealing an encryption key from RAM by installing a modified recovery partition; this secures data in your encrypted data partition in the event your phone is lost. So it absolutely does help protect the device. This was proven in the documents I posted on the first page of this thread.
Here's a diagram showing the boot flow of Android's secure boot verity:
https://source.android.com/security/verifiedboot/verified-boot.html
It should be noted that Android has the capability to boot into a yellow boot state with a non-OEM key; it will display that key's fingerprint and continue the boot process.
I can understand though. I suppose you can't change the bootloader's OEM key without the bootloader being open source, which makes it a no-go; I just don't know enough about how to make Android utilize a non-OEM certificate.
It does state in the verified boot process though that:
In Class B implementations, it is possible for the user to flash software signed with other keys when the device is UNLOCKED. If the device is then LOCKED and verification using the OEM key fails, the bootloader tries verification using the certificate embedded in the partition signature. However, using a partition signed with anything other than the OEM key results in a notification or a warning, as described below.
The notification or warning described below was the yellow boot state, which is what I had thought to get to with a custom ROM. I think in Nougat, with it strictly enforcing, that possibility may be gone altogether.
Here's another thread discussing it a bit:
http://www.xda-developers.com/a-look-at-marshmallow-root-verity-complications/
My Nexus 7 probably works just fine with modifications and a locked bootloader because verity was not implemented until Marshmallow, and I have never proceeded past Lollipop on my Nexus 7 since I need a modified kernel for it, as it's used in an in-car install.
So pre-Marshmallow, unlocked bootloader, modifying and re-locking the bootloader is not an issue; Marshmallow and beyond, it's a problem.
Beakfire said:
The Asus device is a Gen 1 Nexus 7. I don't believe the bootloader is open source, as I'm always flashing the stock boot.img when I wipe and re-load it.
I am able to lock the bootloader after I'm complete with re-loading from fastboot. The locked bootloader does protect the device from some attacks where, as I mentioned on the first page of this thread, an attacker can flash a modified recovery partition to the device and use it to dump the key schedule from RAM in order to gain the key and decrypt an encrypted data partition.
You're also correct that the system partition isn't protected by the encryption, which allows another exploit, as I mentioned on the first page.
In the case of a thief who is after the device, I'd agree it's of little to no use, as they can simply unlock it, wipe and make it their own. However, if they're also after your data, they can use an exploit if the bootloader is unlocked to steal the key from RAM and decrypt your data partition. The likelihood of such an attacker is probably fairly small though.
With all due respect, you are mistaken regarding the boot states you referenced. Google has no access to the OEM bootloader certificate. And under no circumstances can it boot a device that failed OEM certification. All it can do is read the state: verified or not.
Regarding your Asus: there is no way you can boot a non-stock kernel on a locked bootloader. If you can, then your bootloader is not locked and you can flash whatever you want. See if you can get to fastboot on your locked bootloader. If you can, it is not locked. If you can't, you are NOT using a modified kernel. There is no third option.
Locked bootloader security: if your phone is turned off and data encrypted, no one can get to your data even if they fastboot whatever they want. The key wouldn't get into RAM until data is decrypted. If your phone is on and it gets into your adversary's hands, he doesn't need to flash anything: he can get the encryption key from RAM on a live device.
I am not saying the government can break encryption, but that their image acquisition software has OEM certificates I know for a fact, which means they can boot modified images signed with OEM certificates, which defeats bootloader locking...
Edit: the yellow state and the fact that the embedded key is NOT the OEM key indicates that the bootloader is unlocked, so you get a yellow light telling you that you or someone else had unlocked your bootloader and modified the kernel/recovery; then it waits, and if there is no action from you, it boots. Useless.... It only protects somewhat against an over-the-air attack on your system: Stagefright et al. Also useless, because if someone needs to attack you, they can do that via baseband. This is one of Google's "innovations" which gives the user a sense of security only...

[CLOSED]Force Unlocking Bootloader on Nokia 6.1

Hey,
I have been searching for an answer to this for quite a while, and I've found some information. Before you start bashing me in the comments, I do know that Nokia has disabled unlocking bootloaders on certain devices. My question is: is there 100% no (free) way of unlocking the bootloader on my phone, or just in general to get root? I am running Android 9, and I do have adb (of course).
Thanks!
Also interested in this... Don't want to let someone mess around with my phone; I used to do it myself.
Short answer, no. By the looks of it there are currently no free tools, etc.
Long answer, yes but not accessible for us currently. There are ways to gain root access/unlock the bootloader on every device. Currently there are some unpatched exploits (that sometimes cannot even be fixed) in the Linux and Android system that are able to root devices, etc. The last few years showed that Baseband (proprietary Qualcomm code), the RAM (Rowhammer, Rampage) and other device features are attackable. Maybe KingoRoot or someone else might implement these exploits in the following years, and we get a free utility to root devices.
Bootloader unlock for Nokia phones!
_xNyx_ said:
Visit the link below
https://www.nokia.com/phones/en_int/bootloader/
I'm quite new to this rooting stuff, therefore a few stupid questions:
I read that with old security patches, before Aug 2018 (was that still Android Pie?), it was possible to unlock the bootloader. Isn't there some way to downgrade the security patch to a version that allows unlocking?
Is it at all required to unlock the bootloader in order to be able to install LineageOS as provided by this link?
Many thanks!
EDIT: Can you recommend any working alternative way to unlock the bootloader?
Frozen_Duck said:
belzebubi said:
August 2018 would have been Oreo and YES currently you have to roll back to unlock bootloader. It's a PAID service to have this done. @singhnsk can aid you in doing this service. I as well as many others have used him to unlock our devices. You will have to use Team Viewer and let him remotely do his work.
Good luck!!
And actually, the main question is how to unlock? Bootloaderunlocker.apk doesn't work; it gives me "google service error". Help me please.
OEM unlocked for Nokia 7.1 and for all nokia
Hi guys, I am new here, also searching for unlocking the bootloader for Nokia. I read this method somewhere, tried it myself with some tweaks, and it worked:
1. Open the developer options and turn them off.
2. Turn them on again but skip the on-screen option for OK and Cancel; again turn the developer options off.
3. Now turn developer options on again, click OK, and as soon as you do it click on OEM unlocking; it will show a message to reboot the phone. Do it.
4. After rebooting you will see the OEM unlock is still off; just do steps 1, 2 and 3 again and voilà, the bootloader is unlocked now.
Comment if it works.
Thanks
Sourabh22kori said:
You da Man! I had to try it a few times, but it worked.
Just to clarify point 3.
3. Now turn developer option on again click OK and as soon as you do you will be returned to previous menu. Immediately click "OEM unlocking", it will show a message and ask your password, (if set), and work.
Thread closed as a subject matter related thread already exists:
How to Unlock Bootloader & Root Nokia 6.1?
Hello Guys! anybody know how to unlock this phone TA-1089 and root? currently it's running on latest software update Android 9 ( January Patch) kindly help please.
forum.xda-developers.com
Regards
Oswald Boelcke
Senior Moderator

Phone locked: Not allowed to be used with authorization KG Locked

Purchased this phone in this condition. It is a US unlocked model SM-N975U1.
When the phone boots the screen immediately goes to locked screen stating "Phone locked: This phone can't be used without authorization (0001)". so I am unable to get into Dev. Options to look at anything.
From searching on here there are not a lot of solutions to get past this and the ones I have found involve flashing the Combo/Eng ROM which is not possible anymore without the Samsung token/permission. And on this phone I can't flash anything because of the KG Locked condition not allowing anything to be flashed. "All binaries are not allowed to be flashed due to KG Locked"
Does anybody know what can be done?
Ready to just swap out the main board and be done with it.
Thanks in advance.
Added pics but the site seems to be having problems showing them.
The only thing I can say to you is this: problems like the one you are exposing here are always somewhat unsolvable because the device has a shady or dubious history; legally obtained devices are always easy to fix via official channels. You will not get any help to unlock or crack the security of any device here on XDA.

Root / unlocking bootloader

Regarding unlocking the bootloader. I wrote to the official Oppo mail, they refused to give information that could violate the confidentiality or a guarantee. As far as I understand, modifying the system on this device or getting root - are dreams?
Oppo devices are not unlockable

Only Official binaries are allowed to be flashed

Hello everyone,
I have the device SM-G960F (Indonesia)
with the latest modem and bootloader, which is G960FXXUHFVB4,
security patch 1 March 2022.
Developer options = ON
OEM UNLOCKING = ON (bootloader already unlocked)
USB DEBUGGING = ON
*In Download mode:
RMM STATE = PRENORMAL
KG STATE = CHECKING....
FRP LOCK = OFF
OEM LOCK = OFF
The question is, I can't install TWRP. How?
Error: "Only Official binaries are allowed to be flashed".
I've been looking through Google up to page 2 but found no solution:
1. the changing-the-date trick,
2. using Miracle Box to bypass the RMM.
None of them works;
I still can't install TWRP, error: "Only Official binaries are allowed to be flashed".
If there's anyone who can solve my problem, I owe you my thanks.
I don't know if it applied to the S9, but most recent Samsung phones have a very particular way of fully unlocking the bootloader as such
How to unlock bootloader:
- Backup all your media, this process will delete your internal media including music and photos
- Go to developer settings and enable [OEM Unlock]
- Reboot to download mode
- When prompted, press and hold VOL + to enter bootloader unlock mode
- Press VOL + to confirm you want to unlock bootloader, this will wipe your data
- If you think the bootloader is fully unlocked, it is actually not! Samsung introduced VaultKeeper, meaning the bootloader will still reject any unofficial partitions before VaultKeeper explicitly allows it.
- Go through the initial setup. Skip through all the steps since data will be wiped again later when we flash TWRP and magisk
- Enable developer options, and confirm that the OEM unlocking option exists and is grayed out. This means the VaultKeeper service has unleashed the bootloader. This step is MANDATORY
- Your bootloader now accepts unofficial images in download mode.
Still not working sir,
below is the guide, exactly like yours.
How to Unlock Bootloader on any Samsung Device [New VaultKeeper Method]
In this guide, we will show you how to unlock the bootloader on any Samsung device, keeping in mind the new VaultKeeper mechanism.
www.droidwin.com
I still get the message "Only Official binaries are allowed to be flashed".
Thanks for your help.
nurulganong said:
Yeah it looks like the guide really covered their bases. Check download mode and check unlock mode to see if it asks you to unlock (and not lock) the device.
I've had Samsung devices in the past that required this step more than once since the first time it still gave me the option to unlock instead of locking, which means that it didn't really unlock in the first place.
Has anybody solved this issue?
